Posted on: April 26, 2018

GDPR and Blockchain: My Rights vs. My Immutable Records

As the winter snow finally begins to melt across northern planet Earth this spring, millions of once-frozen footprints will be permanently erased from the geologic record. At the same time, the 25th of May to be precise, the European Union’s General Data Protection Regulation (GDPR) will go into effect, affording protected individuals the right, among many others, to be digitally forgotten.

But can the GDPR co-exist with Blockchain, one of today’s most promising technologies?

What is Blockchain?

Blockchain constructs an immutable historical ledger of events and transactions, an infinite number of which may include personally-identifiable information. Unlike snowy footprints that eventually dissolve into the ground beneath them, Blockchain data is intended to live forever and may pose challenges for organizations that wish to comply with the GDPR.

Let’s face it. Laws and regulations cannot keep pace with the breakneck speed at which technological advances come to market. At the time the details of the GDPR were hatched, Blockchain was principally an academic experiment to drive cryptocurrencies as an alternative to traditional “money,” the most popular of which was engineered by a still-anonymous computer programmer. Its goal is to prevent fraud by maintaining and exposing a centralized ledger of historical transactions so that each participant can verify that no monkey business has occurred. It’s the elephant in the room who never forgets.

Blockchain can be used to memorialize and enforce contracts, but how do we verify the identity of the parties if they are not part of the chain? It can be used in voting systems, credit history, trusts and estates, and as a defense to hacking. And let’s not forget about hot-potato topics like medical records and firearm safety.

The most practical and useful applications of Blockchain require some form of personal identity and/or authentication. If that information is stored outside of the chain in order to satisfy privacy regulations, it may defeat the technology’s core competency by expanding the potential attack surface for fraudsters and swindlers.
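To make the trade-off concrete, the following added example (not from the original post) uses a toy hash chain, not any real blockchain, to compare erasing personal data stored on the chain with erasing it from a separate store that the chain only commits to. All function names, the `rec-1` reference and the sample record are hypothetical and constructed for illustration.

```python
import hashlib, json, secrets

def digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding of obj."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def append(chain, payload):
    """Append a block whose hash covers its payload and the previous hash."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    chain.append({"prev": prev, "payload": payload,
                  "hash": digest({"prev": prev, "payload": payload})})

def verify(chain) -> bool:
    """Recompute every link; an edited payload no longer matches its hash."""
    prev = "0" * 64
    for block in chain:
        expected = digest({"prev": prev, "payload": block["payload"]})
        if block["prev"] != prev or block["hash"] != expected:
            return False
        prev = block["hash"]
    return True

def erase_on_chain():
    """Personal data inside the block: honouring erasure breaks the ledger."""
    chain = []
    append(chain, {"name": "Alice Example", "event": "contract signed"})
    append(chain, {"event": "payment settled"})
    chain[0]["payload"]["name"] = "[erased]"   # constructed erasure request
    return verify(chain)

def erase_off_chain():
    """Only a salted commitment is on chain; the data sits in a separate store."""
    store = {"rec-1": {"salt": secrets.token_hex(16), "name": "Alice Example"}}
    chain = []
    append(chain, {"ref": "rec-1", "commit": digest(store["rec-1"]),
                   "event": "contract signed"})
    append(chain, {"event": "payment settled"})
    provable_before = digest(store["rec-1"]) == chain[0]["payload"]["commit"]
    del store["rec-1"]                         # erasure honoured off chain
    provable_after = "rec-1" in store          # nothing left to check against
    return verify(chain), provable_before, provable_after

if __name__ == "__main__":
    print("on-chain erase, ledger still valid:", erase_on_chain())
    print("off-chain erase (valid, provable before, after):", erase_off_chain())
```

The off-chain variant keeps the ledger verifiable after erasure, but the identity data now depends on a second system that has to be secured and trusted separately, which is the expanded attack surface described above.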

Litigation Challenges with GDPR and Blockchain

As with most intersections of law and technology, the GDPR’s purposeful ambiguity will result in courts ironing out the practical details as a result of investigations and inevitable litigation. In fact, courts are still weighing challenges and defenses to 2016’s Privacy Shield framework that seeks to put a construct around the handling of personal data that traverses the pond between the United States and the European Union.

Meanwhile, lawsuits are already piling up ahead of the GDPR’s effective date, many with crowdsourced funding from individuals, municipalities, companies, and even labor unions who are anxious to test the boundaries.

If we embrace Blockchain in its purest form, our snowy footprints will never melt and our right to be forgotten becomes impossible to execute. In the EU, the application of Blockchain may be reduced to mundane areas such as cargo tracking and product recalls while the rest of the world reaps the benefits of improved financial, medical, and civil services that the technology promises. Only time will tell if the GDPR and Blockchain can peacefully co-exist.